Tania Karmakar was a bit nervous when she walked into the campus recruitment interview at her tech school. By the time she left, however, she had the interviewers eating out of her hand. In the course of the long interview, Karmakar mentioned that their apparently secure corporate website was actually quite easy to hack into. “I told them plainly that their system was very vulnerable; just about any hacker can penetrate and wreak havoc in minutes. I even demonstrated how one could shred their security system. That seemed to give them a scare.”
The company hired Karmakar immediately. She got her joining letter while most of her classmates — trained to be software developers — either did not snag a job or had to be satisfied with offer letters (many are yet to get joining letters).
“Students trained to be plain-vanilla developers have been facing problems in this bleak recruitment season,” admits the placement officer (who doesn’t wish to be named) at Karmakar’s college in south Calcutta. “Unless you have some extra qualification — like Tanaya — you can’t grab the attention of recruiters.”
Karmakar’s qualification is not just an “extra something”. She’s an aspiring web penetration tester (or pentester) — an expert who evaluates the security of a computer system or network by simulating an attack from malicious intruders. “Most security experts or auditors can find holes in the system, but pentesters are a bit ahead — they know exactly the way it can be hacked. It’s an extremely challenging job,” says Abir Atarthy, ethical hacker and co-founder of the Indian School of Ethical Hacking (ISOEH) at Kharagpur. Karmakar trained in pentesting at Atarthy’s institute.
Many of the advantages that make online web applications — from netbanking to online shopping — so convenient also make them incredibly insecure. Hackers are able to use web applications to penetrate the enterprise’s network and access private customer databases. “The resulting identity and data theft has become a major concern for both corporations and consumers,” says Atarthy.
Terry Cutler, a co-founder of Digital Locksmith — a Canada-based company that provides security services to governments and top global companies worldwide — told CareerGraph why web penetration is hot. “Everything is now being built with a web interface. But, most web developers are not coding [the software] with security in mind. They are more focused on convenience and ease of use. Moreover, company administrators (mostly overworked and underpaid people) pay the least heed to the extra task of IT security. As a result, they bring web servers online with plenty of holes — vulnerable to misconfiguration attacks,” Cutler says.
Such malicious attacks have become commonplace even in India. According to statistics from the Indian Computer Emergency Response Team (CERT), set up by the Union information technology ministry, 7,450 Indian sites have been defaced between May and July this year. “Hackers have even attacked the sites of Microsoft India and the Defence Research Development Organisation. Recently Algerian hackers laid siege to five government sites,” says Atarthy.
That the recent attacks have led to Indian enterprises pressing the panic button is evident from the number of postings for ‘penetration testing’ on top Indian jobsites. In September, there are over 100 openings. Says Sandip Sengupta, CEO, iSolution software, Calcutta, and an IT security expert, “Companies advertising for pentesters range from top technology multinationals to micro startups. As most companies have moved their critical business process to the web, they need to hire full-time pentesters to keep the massive data safe.”
In the near future the demand for pentesters will far exceed that for developers or network engineers. “The industry needs around 4 lakh experts every year and there is an acute shortage of skilled pentesters,” Sengupta says.
With so many corporate sites, social networks, email services and other web apps needing to be secured, this is a field that will just keep expanding, says Sudhangshu Chauhan, security researcher at Infosec Institute. “The field is not only financially rewarding but extremely interesting,” he says. “After all, who doesn’t enjoy finding flaws in others’ (developers’) work and getting paid for it!”
“Most testers get paid in the range of $100 to $150 an hour,” says Terry Cutler. “A specialist consultant gets $250 an hour or more.”
According to Atarthy, in India pentesters get paid on a per day or project basis. “A three-day project can fetch over Rs 1 lakh. This is the reason most companies are looking for full-time experts,” he says. iSolution’s Sengupta says that the average salary of a pentester is at least 20 per cent higher than that of a software developer. “Once you become a seasoned tester, and if you are considered an expert in the domain, you can earn millions as a security consultant and contribute to high-paying crowdsourcing platforms like HackAServer for testing applications for different companies,” says Chauhan. And there always is the opportunity to found a startup and rise a notch.
But there is a downside too. “There’s always the risk of being branded a cybercriminal if you point out the holes in a system voluntarily,” says Atarthy. However, testing a site with permission from the administrator is not illegal. Says Cutler, “The biggest challenge is that some managers don’t feel the urgency of bucking up IT security unless their sites are under attack. They try to sweep the issue under the rug feeling ‘it will never happen to us’.”
Notwithstanding these challenges, the field is growing by leaps and bounds, thanks to more and more attacks by infiltrators both from inside and outside big firms. Which is why youngsters like Karmakar have plenty of takers in this sunrise sector.
- Thorough knowledge of JSP/Servlet/ASP.NET/PHP
- B.Tech (CS/IT)/MCA (optional)
- Strong in any scripting language (such as Python)
- Idea of web technologies like LAMP